Security – Juniper SRX210: how do I open ports 554 and 9001 for the local IP 192.168.1.151?


I have been struggling to solve this but still I cannot fix it. I have a PC at 192.168.1.151 with TCP/UDP ports 554 and 9001 open, and I need to reach them from the public side. My Juniper SRX210 has the following configuration, but I cannot understand why it is not working.

version 10.0R3.10;
system {
    root-authentication {
        /* Redacted on the page; "## SECRET-DATA" is the system marker for a hashed credential. */
        encrypted-password "secret-password-goes-in-here"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh {
            /* Direct root login over SSH is permitted; the trust zone below allows all
             * system-services on vlan.0, so this is reachable from every inside host. */
            root-login allow;
        }
        /* Cleartext management service. It is also listed as host-inbound traffic on the
         * untrust interface ge-0/0/0.0 below, so the device itself accepts telnet from outside. */
        telnet;
        web-management {
            http {
                /* HTTP (cleartext) management bound to the inside interface only. */
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            /* Pool covers .2-.254, which includes the destination-NAT targets .151, .41 and .125
             * configured further down. No static binding is visible here — NOTE(review): confirm
             * those hosts hold fixed addresses, otherwise the forwards will silently break. */
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {       
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }           
    }               
}                   
interfaces {        
    interface-range interfaces-trust {
        member ge-0/0/1;
        member fe-0/0/2;
        member fe-0/0/3;
        member fe-0/0/4;
        member fe-0/0/5;
        member fe-0/0/6;
        member fe-0/0/7;
        unit 0 {    
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }   
            }       
        }           
    }               
    /* WAN interface; address learned via DHCP, so the public address the DNAT rules match on
     * (0.0.0.0/0 below) is whatever the upstream assigns. */
    ge-0/0/0 {      
        /* MAC redacted on the page. */
        mac 0a:00:xx:00:00:00;
        unit 0 {    
            family inet {
                dhcp;
            }       
        }           
    }               
    vlan {          
        unit 0 {    
            family inet {
                /* Inside gateway address; also the target of destination-NAT pool3 below. */
                address 192.168.1.1/24;
            }       
        }           
    }               
}                   
security {          
    nat {           
        source {    
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }   
            }       
        }           
        destination {
            /* The host the question is about (ports 554, 9001). */
            pool pool1 {
                address 192.168.1.151/32;
            }       
            /* No rule in ruleset1 references pool2; it is currently unused. */
            pool pool2 {
                address 192.168.1.41/32;
            }       
            /* This is the SRX's own vlan.0 address, not an inside host. */
            pool pool3 {
                address 192.168.1.1/32;
            }       
            /* Same host as the "mydmz" address-book entry in the trust zone. */
            pool pool4 {
                address 192.168.1.125/32;
            }       
            /* Destination-NAT rules are evaluated in configured order, first match wins.
             * Translation alone does not admit traffic: a from-zone untrust to-zone trust
             * policy must also permit the translated destination, and the only such policy
             * below covers mydmz (.125). Traffic translated to .151 or .1 is therefore dropped. */
            rule-set ruleset1 {
                from zone untrust;
                rule rule1 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 554;
                    }
                    then {
                        destination-nat pool pool1;
                    }
                }   
                rule rule2 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 49152;
                    }
                    then {
                        destination-nat pool pool1;
                    }
                }   
                rule rule3 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 49500;
                    }
                    then {
                        destination-nat pool pool1;
                    }
                }   
                /* Catch-all: matches every destination with no port restriction, so it is hit
                 * by anything rule1-rule3 did not match. Two consequences: rule5 and rule4
                 * below it can never match (ports 22 and 9001 land here instead), and every
                 * other inbound port is forwarded to .125, which the server-access policy
                 * permits for application any. Move it last, or constrain it, if a catch-all
                 * forward to that host is not intended. */
                rule rule6 {
                    match {
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        destination-nat pool pool4;
                    }
                }   
                /* Shadowed by rule6 above. Note the target is the firewall's own address,
                 * whose SSH service allows root login — NOTE(review): confirm this forward
                 * is intended before any policy is added that would permit it. */
                rule rule5 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 22;
                    }
                    then {
                        destination-nat pool pool3;
                    }
                }   
                /* Shadowed by rule6 above; port 9001 for .151 never reaches this rule. */
                rule rule4 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 9001;
                    }
                    then {
                        destination-nat pool pool1;
                    }
                }   
            }       
        }           
    }               
    screen {        
        ids-option untrust-screen {
            icmp {  
                ping-death;
            }       
            ip {    
                source-route-option;
                tear-drop;
            }       
            tcp {   
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }   
                land;
            }       
        }           
    }               
    zones {         
        security-zone trust {
            address-book {
                /* Only inside host with an address-book entry, hence the only one a policy
                 * can name as a destination; .151 needs its own entry before a policy can permit it. */
                address mydmz 192.168.1.125/32;
            }       
            host-inbound-traffic {
                system-services {
                    /* Every management service (ssh with root login, telnet, http, https)
                     * is reachable from the inside. */
                    all;
                }   
                protocols {
                    all;
                }   
            }       
            interfaces {
                vlan.0;
            }       
        }           
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            /* dhcp and ping are needed for the DHCP-assigned WAN address and
                             * reachability checks. tftp and telnet expose unauthenticated /
                             * cleartext services of the device itself on the public interface. */
                            dhcp;
                            tftp;
                            ping;
                            telnet;
                        }
                    }
                }   
            }       
        }           
    }               
    policies {      
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }   
                then {
                    permit;
                }   
            }       
        }           
        /* This is the only inbound policy: it permits any application to mydmz (.125) and
         * nothing else. No policy permits the DNAT'd traffic for .151 (pool1) or .1 (pool3),
         * which is why ports 554 and 9001 do not work. Matching on specific applications
         * instead of "any" would also limit what the rule6 catch-all exposes. */
        from-zone untrust to-zone trust {
            policy server-access {
                match {
                    source-address any;
                    destination-address mydmz;
                    application any;
                }   
                then {
                    permit;
                }   
            }       
        }           
    }               
    alg {           
        sip {       
            disable;
            inactive-media-timeout 90;
            maximum-call-duration 3000;
            retain-hold-resource;
            application-screen {
                unknown-message {
                    permit-nat-applied;
                    permit-routed;
                }   
            }       
        }           
    }               
}                   
vlans {             
    vlan-trust {    
        vlan-id 3;  
        l3-interface vlan.0;
    }               
} 

Best Answer

Your DNATs look fine, but you did not also create a firewall policy to permit the traffic. You should edit the trust zone's address book and add entries for the hosts on the inside, then create a policy from-zone untrust to-zone trust that matches those destinations and the applications. There are built-in applications you can reference, or you can create your own, but that is done in its own section at the top of the configuration, not under the security stanza. Here is an example of a policy; to get to this level I typed "edit security policies from-zone untrust to-zone trust" and then entered the following.

policy exchange {
    match {                             
        source-address any;
        destination-address [ exchange1 exchange2 ];
        application [ junos-https junos-smtp junos-http junos-imap junos-ping junos-imaps junos-pop3 ];
    }
    then {
        permit;
        count;
    }